Ensure your business is compliant with the latest legal and payment services directive regulations. Our support team are always available to support you with any query 24/7, 365 days a year.
The 3-D Secure authentication is an additional fraud prevention scheme that is available to all companies using the Opayo systems to process transactions.
It allows shoppers to create and assign a password to their card that is then verified whenever a transaction is processed through a site that supports the use of the scheme. The addition of password protection allows extra security on transactions that are processed online.
3-D Secure stands for 3 Domain Server; there are 3 parties that are involved in the 3D Secure process:
The scheme is a collective of Verified by Visa (VBV) and MasterCard SecureCode (MSC). It is the most recent fraud prevention initiative that is available at the moment.
3-D Secure is also the only fraud prevention scheme that is available that offers companies liability cover for transactions that are verified by the checks. This provides additional protection to companies using the scheme as opposed to those that do not.
As 3-D Secure is controlled by Visa and MasterCard, the following cards can be used: Visa, Visa Delta, Mastercard, Mastercard Debit, international Maestro, UK Maestro, Laser, and Visa Electron.
Note: Vendors will need to confirm with their merchant bank for exact terms on liability shifts.
Opayo also advise using the 3-D Secure scheme alongside our other fraud prevention tools that are available to our customers.
The first thing is to ensure your ecommerce payments have 3D Secure activated within MyOpayo (if not already activated). You can find out how to do this on page 8 of our MyOpayo User Guide.
Depending on which payment integration your site uses with Opayo, you may have to make some changes to the integration. It is important to flag to your developer or IT team ahead of time that development changes may be needed, so that they are ready to act for you.
Opayo has minimised the impact that this mandated change will have on you and your customers, keeping your business compliant for ecommerce transactions within the EEA. We recommend you update to Protocol 4.
Below you can find out if you need to make any changes to your integration:
Since 3DSv2 is mandated, you will no longer be able to bypass the checks by submitting the Apply3DSecure field with a value of ‘2’ for form, server or direct. You will need to change this value to ‘0’ or use one of the other permitted values (1 or 3). This is only likely if you have a bespoke Opayo integration with your website, but your web developer will be able to tell you if this is the case. If you have integrated using Pi, you will need to pass UseMSPSetting or one of the other permitted values (Force or ForceIgnoringRules).
If you don’t know which integration your website uses, you can find this in MyOpayo by clicking on any successful payment, then choose ‘Additional Details’ from the left menu. You will see the integration in the system used field.
If you would like to use the 3-D Secure tool that is available on your account, you will first need to activate it within your MyOpayo.
You are then able to add rules to your account to automatically review transactions processed on your account, and accept or reject these transactions based upon the results of the rules.
Before doing this, however, you will first need to log into your MyOpayo area. You must also make sure the user you log into MyOpayo with has the administration privileges to do so.
Once you have logged into your MyOpayo account you will then need to activate the checks on your account.
To do this click on the settings tab, followed by 3-D Secure.
You will then be able to activate the 3-D Secure scheme and manage the rules within your account.
Now that you have activated 3-D Secure you are able to add rules to your account. By selecting add rule within your MyOpayo you are able to add conditions to your account based upon the results of the 3-D Secure authentication.
Once you have selected add rule you will then be presented with the add a new 3-D Secure rule screen.
This screen will allow you to add a start value, and end value to the rule and then add the restrictions to the rule.
Within this screen you are presented with 5 options when adding rules to your account. You are free to select as many, or as few of these options as you see fit:
Each option that is selected will allow transactions that meet the criteria to be successfully sent for authorisation.
If the transaction does not meet the requirements of the rules that have been set, the transaction will be rejected and appear on your account as a failed transaction.
Now that you have added one rule to your account you are able to have more if you want.
In order to add multiple rules to your account you simply need to complete the same steps as above.
When adding another rule, its start and end values cannot overlap those of an existing rule; the system will not allow this and the rule will not be added to your account.
Multiple rules are used when you would like additional security over multiple price ranges. This also enables you to vary the levels of security on your account depending on the price ranges you wish to implement.
Just like Verified by Visa and MasterCard SecureCode, American Express SafeKey is there to offer password protection to shoppers who have an American Express card.
The scheme gives shoppers the chance to assign a password to their card and verify this when processing a transaction.
You will be taken to the SafeKey screen once your card details have been captured and prompted to enter a password in order to complete your order.
American Express automatically enrol all accounts in their SafeKey scheme so they are ready for the new SCA regulations. Opayo register these details as part of the process of adding American Express to your account; all you need to do is activate it in MyOpayo once your American Express merchant number is Live. Full instructions on how to do this can be found here.
If you would like to know more about SafeKey use the button below to be taken to the American Express website.
We’ve put together some commonly asked questions to provide additional guidance on the new strong customer authentication regulation and what it means for your business. If you can’t find what you’re looking for, contact us; our customer support team are on hand to help 24-7.
PSD2 was introduced by the European Commission as a follow-up to the original Payment Services Directive (PSD) and took effect in January 2018. The aim was to bring in new laws to increase customer protection, foster innovation and inspire pan-European competition.
A key element of PSD2 is the introduction of the Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA) which applies to card-based ecommerce transactions in the European Economic Area (EEA).
Strong Customer Authentication was due to come into force in the UK on 14 September 2021. The Financial Conduct Authority (FCA) announced a 6-month extension to the deadline in recognition of the exceptional circumstances of the Covid crisis. The final implementation date was 14 March 2022. The next milestone in the SCA implementation timeline is the retirement of 3DSv1 by card schemes on 15 October 2022.
From 1 June 2021, card schemes gradually began their implementation of Strong Customer Authentication, with ecommerce transactions increasingly being checked for 3-D Secure compliance. We recommended that merchants enable 3DSv2 before this date to ensure no disruption to payment processing as the ramp-up begins.
The first step to achieving SCA compliance is to ensure your ecommerce payments have version one enabled. You can find out how to do this on page 8 of our MyOpayo User Guide.
3DSv2 functionality is now available to Opayo customers in our test and live environments giving merchants an early opportunity to test how best to incorporate SCA compliance together with an improved user experience at checkout.
Strong Customer Authentication makes payments more secure for both your business and the customer by adding an extra layer of protection known as two-factor authentication (2FA). Customers are now required to provide at least two of the following forms of identification when making a payment:
All ecommerce transactions are being processed via a secured industry protocol such as 3-D Secure from 14 March 2022 (with some exemptions detailed below).
Payment fraud losses have been steadily increasing for nearly a decade with little sign of easing. Merchants increasingly face a delicate balance between ensuring customer security and convenience, while minimising fraud and friction.
Strong Customer Authentication has been introduced to help combat fraud by improving customer security while reducing the liability held against businesses for unauthorised transactions.
Today, payments are typically authenticated using 3DSv2 (sometimes known as Verified by Visa, Mastercard SecureCode, Amex SafeKey, Diners ProtectBuy, and JCB J-Secure) where the customer is asked to provide additional authentication data such as a password or an SMS verification code.
From March 2020, UK card issuers and/or acquirers began to gradually step up payments, requesting that 3-D Secure be performed with two-factor authentication (2FA). When 3DSv2 is used, around 90% to 95% of authentication requests have resulted in a frictionless authentication, where the customer doesn’t even realise that authentication has taken place.
Contactless card machine transactions are subject to new rules. Card issuers are required to prompt the cardholder to perform a chip and PIN transaction each time their cumulative contactless spend reaches £150 since their last chip and PIN transaction.
During a 3-D Secure authentication, how the authentication is performed is up to the card issuer. Opayo’s upgrade to 3DSv2 introduces a better user experience:
When 3DSv2 is enabled, it is estimated that only 5% to 10% of authentications result in the cardholder having to be re-directed to their bank’s 3-D Secure page to enter 2FA. Most authentication requests result in a frictionless authentication with an authorisation rate of up to 90%. What’s more, liability for unauthorised transactions passes to the card issuer, saving you time and money on potential disputes.
Since 14th March 2022 the card issuing banks have expected full 3-D Secure V2 authentications for in-session e-commerce transactions; any non-3D Secure transactions after this point risk being declined. 3-D Secure V1 will be decommissioned by the card schemes on 15th October 2022, so your integration needs to fully support 3-D Secure V2 verifications by this date.
3DSv2 functionality is now available to Opayo customers in our test and live environments giving merchants an opportunity to test how best to incorporate SCA compliance together with an improved user experience at checkout.
You can find out how to do this on page 10 of our MyOpayo user guide.
Your integration type determines if you need to make any further changes to support 3DSv2:
If you don’t know which integration your website uses, you can find this in MyOpayo by clicking on any successful payment, then choose Additional Details from the left menu. You will see the integration in the System Used field.
There are several exemptions to SCA that may be requested to improve the payment experience.
You first need to speak with your acquirer to get their approval of any exemptions you choose to use. Once your acquirer has advised of suitable exemptions for your business model, you can request an exemption on a per transaction basis when submitting your transaction request to Opayo. If you choose to use an exemption, any chargeback liability is passed to you for the transaction.
The card issuer may not always agree with your exemption. In this instance, they may return a ‘soft decline’ and request that 2FA is performed.
Card issuers will allow your customer to add you as a trusted beneficiary, either during 2FA, or when they log into their card account. Once they have added you as a trusted beneficiary, you can apply for this exemption so that this applies every time they shop with you.
Recurring transactions or subscriptions
After initial set up, a subscription or membership fee consisting of repeat payments of the same amount to the same payee i.e. direct debit, will be exempt from authentication. Since your customer is off session when a recurring transaction is performed, they cannot be expected to perform an authentication. However, 2FA must be performed for the first transaction of a recurring series, where your customer is in-session.
Trusted Risk Analysis (TRA)
This exemption can be used if you have a low chargeback rate, typically between 1 and 13 chargebacks per 10,000 transactions. The permitted rate varies depending on the transaction amount, for values up to and including £430 (€500). You cannot use this exemption for transaction values over £430 (€500). Overall fraud rates for card payments must not exceed the following thresholds:
0.13% to exempt transactions below £90 (€100)
0.06% to exempt transactions below £215 (€250)
0.01% to exempt transactions below £430 (€500)
Low-value transactions (LVT)
A Low Value Transaction (LVT) is one that is 30 EUR or less. This exemption is permitted for a maximum of five LVT per card account, per day, where the cumulative value does not reach more than €100 a day. If the cardholder uses their card to make 5 consecutive low value payments, or a total that exceeds €100, SCA will be required. This is not a straightforward exemption; your customer could already have consumed their permitted allowance elsewhere before purchasing an item from your website. If this is the case, the card issuer may “soft-decline” the transaction and request that your customer performs 2FA.
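The TRA tiers and LVT limits above, worked through as an added Python example (not Opayo code and not part of any Opayo API): the merchant picks an exemption to request, and a modelled issuer shows why an LVT request can still be soft-declined. The function names, the `approved` set of acquirer-approved exemptions, the preference for TRA over LVT and the inclusive treatment of the amount ceilings are assumptions of this example; amounts are in EUR.

```python
from decimal import Decimal

# TRA tiers from the page: (maximum overall fraud rate in %, amount ceiling in EUR).
TRA_TIERS = [(Decimal("0.13"), Decimal("100")),
             (Decimal("0.06"), Decimal("250")),
             (Decimal("0.01"), Decimal("500"))]
LVT_MAX_AMOUNT = Decimal("30")      # a low-value transaction is EUR 30 or less
LVT_MAX_PER_DAY = 5                 # at most five LVTs per card account per day
LVT_MAX_DAILY_SUM = Decimal("100")  # cumulative LVT value allowed per day


def tra_ceiling(fraud_rate_pct):
    """Largest EUR ceiling whose fraud-rate threshold the merchant meets, or None."""
    met = [ceiling for max_rate, ceiling in TRA_TIERS if fraud_rate_pct <= max_rate]
    return max(met) if met else None


def choose_exemption(amount_eur, fraud_rate_pct, approved):
    """Merchant side: exemption to request, or None to go straight to 2FA.

    `approved` is the set of exemptions the acquirer has agreed to (assumed input).
    """
    ceiling = tra_ceiling(fraud_rate_pct)
    # Assumption: ceilings are inclusive, following "up to and including" on the page.
    if "TRA" in approved and ceiling is not None and amount_eur <= ceiling:
        return "TRA"  # preferred in this example: not tied to the daily LVT counters
    if "LVT" in approved and amount_eur <= LVT_MAX_AMOUNT:
        return "LVT"
    return None


def issuer_lvt_decision(amount_eur, earlier_lvts_today):
    """Issuer side: honour an LVT exemption, or soft-decline and ask for 2FA.

    `earlier_lvts_today` lists every exempted LVT on the card today at any
    merchant, which is why the requesting merchant cannot predict the outcome.
    """
    if amount_eur > LVT_MAX_AMOUNT or len(earlier_lvts_today) >= LVT_MAX_PER_DAY:
        return "soft_decline"
    if sum(earlier_lvts_today, Decimal("0")) + amount_eur > LVT_MAX_DAILY_SUM:
        return "soft_decline"
    return "exempt"


if __name__ == "__main__":
    # Constructed sample: a EUR 25 basket after four EUR 20 LVTs at other shops.
    print(choose_exemption(Decimal("25"), Decimal("0.2"), {"TRA", "LVT"}))
    print(issuer_lvt_decision(Decimal("25"), [Decimal("20")] * 4))
```

A `soft_decline` result corresponds to the case described earlier where the issuer does not agree with the exemption and 2FA must be performed.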
You can only use this exemption if you have participated in a delegated authentication program with the card schemes, where the card scheme approves delegation of the authentication process to you.
Secure Corporate payment
If your customer is using a corporate card, that is a lodged corporate card (typically used to book travel for all employees of a company), then this exemption can be used. It cannot be used for personal corporate cards.
Strong Customer Authentication applies to card-based ecommerce transactions (including digital wallets backed by cards) where the card issuer (i.e. financial institution with whom the cardholder has a relationship) and the acquirer (i.e. financial institution with whom the merchant has a relationship) both reside within the European Economic Area (EEA).
As an example, if your customer is making a purchase with a card issued outside of the EEA, then SCA does not apply. If your customer is making a purchase with a card issued inside the EEA, but your acquirer is registered outside of the EEA, then SCA does not apply.